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Because of the original tight deadline , 
arrangements were ma de through t he Comptroller's 
ATINTQffice to check with | | conceming the 

possibility of a new suspense date. He looked 
into the situation, later reported that 0MB was 
quite "relaxed" about the timing, and he did 
authorize a somewhat indefinite extension. He 
did not specify a new due date. 


SWINTL 



STTATIN 


T-vprnHw Offi r<vr tn the DD/A 


18 Oct 74 
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Distribution: 
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- DD/A Subject w/background (DD/A 74-4071) 


STRATI NT1N0TE: This in response to 


call re how extension on suspense established. 
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1 stujcCT: (optional) p r Q •(- e c -)- j_ on Q f Personal Privacy in Federal 
] Information Systems 

| fRO,A ' John F. Blake 

; Deputy Director for Administration 

j 

EXTENSION 

NO. 

17 OCT PH 

| TO: (Offtosr designation, room number, and 

1 buildin-g) 

s 

L . - ... 

DATE 

OFFICER'S 

INITIALS 

COMMENTS (Number each comment to show from whom 
to whom. Drow a line across column after each comment.) 

RECEIVED 

FORWARDED 

j 1 Director of Central 
] Intelligence 




Sir: 

The attached letter for 
your signature is submitted 
as your response to Dr. Marik, 
OMB, concerning the subject 
circular, which was thoroughl} 
reviewed by and discussed wit! 
representatives from 0GC, 0LC, 
Personnel, Security and ISAS. 
Your letter follows the guide- 
lines suggested by 0LC. 

Recommend you sign this 
letter to Dr. Marik. 

/c/ job r. " 

John F. Blake 
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(17 Oct 74) 


att 


- DC I w/orig 

- ER w/ att 

- DD/A Subject w/att* 

- DD/A Chrono w/att 

- PS 


Ltr fr DCI to Dr. Marik. OMB, subj . '’Protection of Personal 
Privacy in Federal Information Systems" 
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> - r . K o b e rt ft. f- la r i k 

:is sue ante Director for Management 

a ¥ i d Operations 

Office of Management and Budget 
Washing ton, D. C. 20503 

Dear Dr. Marik: 


, 0 _ , iills 1S re Ply to your letter, dated 27 September 
1974, requesting our comments regarding a proposed 0MB 
Circular relating to the Protection of Personal Privacy 
m Federal Information Systems to serve as interim guid- 
ance pending the enactment of legislation or issuance of 
an Executive Order. 


, . As you undoubtedly are aware, the proposed legisla- 
ai?" t5 ?e Executive Order, by granting access to records 
cting intelligence sources and methods, do present 
serious security problems for this Agency. Our position 
has consistently been to request an exemption from most 
of the provisions of these proposals. This position was 
xabt confirmed to Mr, Stanley Ebner, General Counsel, 0MB , 
oy letter dated 4 September 1974 in response to his 
comments on th * "" " 


for 


draft Executive Order entitled. 


request 
”To 


Uotect the Rights of Individuals with Respect to Records 
Maintained About Them by Federal Agencies." 

r . Accordingly, we respectfully request that the Central 
Intelligence Agency be granted a similar exemption from 
tne provisions of the proposed Circular. 


Sincerely , 

U r . E. 

Director 


'7 


Colby * 
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1 - ER 

y- DD/A Subject w/ background* 
I - DD/A Chrorio 
1 - LRM 
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STATINTL 2 

3 


Mer.o dtd 2 7 Sept 74 to Heads of 
Establishments fr AD/Mf T 0/0MB; 
of Personal Privacy in Federal 


Exec. Depts. S 
subj : Protection 
Info rin a t ion Sy s tern n 


(DD/A 


'demo dtd 3 Oct 74 fr 


(Ch 


■ef, ISAS) (DD/A 


/ 4-3 8 7 9 


iueruo dtd 8 Oct 74 to AC/DDA fr D/OJCS (DD/A 74-3925) 


4 - Memo dtd 8 Oct 74 to DD/A fr D/OS (DD/A 74-5928) 

5 - Memo dtd 8 Oct 74 to DD/A fr OGC (DD/A 74-4008) 

6 - Ltr dtd 4 Sept 74 to OMB/General Counsel fr DCI 
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CENTRAL. INTELLIGENCE AGENCY 

Washington, D.C. 20505 

4 SEP 1974 


Mr. Stanley Ebner, General Counsel 
Office of Management and Budget 

"Washington, D. C. 20503 - 

Dear Mr. Ebner: 

This is in reply to your letter dated August 21, 1974, requesting 
our comments concerning a proposed Executive Order entitled, “To 
Protect the Rights of Individuals with Respect to Records Maintained 
About Them by Federal Agencies." 

It is understood that the purpose of Section 5(b) of the proposed 
Order is to exempt the records of the Central Intelligence Agency from 
all provisions except for sections 2(b), 3(b), and 4(c)(1) through 4(c) (4). 
However, in view of the introductory phrasing of section 5, it might 
be argued that the exemption does not apply to CIA records disseminated 
to other agencies. 

In the interest of clarifying this ambiguity, it is requested that 
Section 5 be revised along the following lines: 

“Sec. 5. Except for subsections 2(b), 3(b), — 

and 4(c)(1) - (4) -- 

> “(a) the head of an agency may exempt from 

all or part of the provisions of this Order 
any portion of a system of record which is: “ 

[NOTE: To conform to the format of 
the proposed Order redesignate sub- 
paragraphs (a) and (c) through (g) as 
subparagraphs (1) through (6), respectively. ] 
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"(b) systems of records, or any portion 
thereof, maintained or originated by the 
Central Intelligence Agency shall be 

exempt from the provisions of this Order. " 

* * 

With the above change, we offer no objection to the issuance 
the proposed Executive Order. 


Sincerely, 


/$/ W. E. Colby 

W. E.’ Colby 
Director 


2 
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EXECUTIVE OFFICE OF THE PRESIDENT 

OFFICE OF MANAGEMENT AND BUDGET PD/A 

WASHINGTON. O.O. 20503 


Executive Registry 

1*4-5- 






$EP 2 7 1274 


TO THE HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS 

SUBJECT: Protection of Personal Privacy in Federal 

Information Systems 


Enclosed for your review is a proposed 0MB Circular relating 
to the protection of personal privacy in Federal information 
systems. This draft was prepared by a task force of the 
Domestic Council Committee on the Right of Privacy consisting 
of personnel from the Departments of Defense and Commerce, 
the General Services Administration, the Office of Telecom- 
munications Policy and the Office of Management and Budget, 
being coordinated at the request of the Committee 

staff. 


The draft Circular would establish rules for the protection 
of records containing personal data and require each agency 
head to establish an internal program for their implementa- 
tion. As indicated in the draft, it would serve as interim 
guidance pending the enactment of legislation or issuance 
of an executive order. At such time as either a statute or 
an order is approved, further modifications to the Circular 
would likely be required. 


We would appreciate your comments; by October 10, 1974. 

Sincerely, 7 . . 

'// f/f .//'fy / 
f " ' / ’ ■//>' 

Robert H. Marik 



1 Associate Director for 
Management and Operations 


Enclosure 
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OMB Circular A 

TO THE HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS 

SUBJECT: Protection of Personal Privacy in Federal Information 

Systems 

I . Purpose 

To establish policies and procedures for assuring that 
personal privacy is given thorough consideration by the Executive 
Branch in its planning, procurement, operation and use of data 
processing and data communications systems and services. 

II . Background 

The Domestic Council Committee on the Right of Privacy 
determined that checks should be incorporated into Federal 
procedures for the planning and procurement of data processing 
and data communications systems and services to assure that 
adequate privacy safeguards are incorporated into such systems. 
While the specific legal and administrative requirements for 
protecting various types of data will continue to develop, there 
already exists considerable agreement on several general principle 
which should be followed in most instances. Concern has arisen 
about the continued development, expansion, modification and 
operation of Federal data processing and data communications 
systems without careful consideration of the need to apply such 
principles . 

As a first step in responding to this concern, this 
Circular sets forth general principles in Section III for 

safeguarding privacy, and procedures in Section IV or determining 
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the application of these principles to each data processing or 
data communications system or service. These procedures are 
intended to be made an integral part of the process of planning, 
procuring and using data processing and data communications 
systems and services within the Executive Branch. Further guidance 
in the form of legislation or executive order is anticipated which 
will delineate additional specific requirements for safeguarding 
privacy with respect to record-keeping systems. 

Ill . Principles 

A. Except as provided in Subsection B of this section, 
each agency utilizing automatic data processing or data 
communications to maintain a system of records* shall assure 
that the following principles are adhered to with respect to 
each such system of records . 

1. There must be a publicly available written statement 
of the existence of the system of records, of the purpose or 
purposes for which the information is vised, and of the agencies 
which are given access to the records. 

2. The information contained in a system of records 
shall be accurate and limited to that which is necessary to 
serve the stated purpose or purposes of the system. 

3. Access to the records in a system of records must 
be limited only to those individuals within each stated user 


* 
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agency whose duties require them to use such information to 

* 

accomplish a stated purpose of the system of records. 

j 

4. No record shall be accessed by, or transferred 
to another agency or per on, other than one of the publicly 
stated user agencies, or for a purpose other than the publicly 
stated purposes without the informed consent of the individual 
subject, unless all of the following criteria are met: 

a. The v ead of the agency with custody of such 
records determines that such transfer is in conformance 
with the law and has formally authorized such transfer, in 
writing, for good and stated reasons; and 

b. The agency with custody of such records 
determines that the recipient will provide safeguards equivalent 
to those maintained by the agency; and 

c. The individual subject is notified promptly 
of such access or transfer; and 

d. A permanent record of such access or transfer 
is retained by the agency with custody of such records. 

5. An individual shall have access to and, if he 
desires, shall be able to obtain a copy of all information 
pertaining to him in such a system of records. 
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6. A procedure must exist whereby an individual can 
request correction of any information about him, appeal within 
the agency the denial of such a request, and if correction 

is denied further, file a statement to become part of his 
record setting forth the nature of the disagreement. 

7 . Reasonable safeguards against unauthorized access 
to such records shall be maintained in accordance with 
applicable guidelines and standards of good practice. 

B. The above principles are to be adhered to except: 

1. Where inconsistent with law or executive order, or 

2. Where the head of an agency has determined that a 
deviation from these principles is in the public interest, and 
has clearly described the nature of the deviation and the 
reasons therefor in a Privacy Safeguards Plan as required below. 

IV . Implementation 

A. Each Federal department or Federal establishment will 
establish an Office of Record for Privacy Safeguard Plans. 

Such plans will be open for inspection by the public. The 
filing of such plans fulfills the requirement of Paragraph A.l. 
of Section III. 

B. Each agency which plans to acquire or modify facilities 
or services for automatic data processing or data communications 
shall : 
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1. Determine wl ether such facilities or services will 

4 

be used to maintain a system of records as defined herein; and 

I 

j 

2. If such determination is negative, file a statement 
to that effect with the 'fice of Record; otherwise 

3. Determine the applicability of the principles 
stated above to each system of records involved; and 

4. Determine the system features required to implement 
all applicable principles; and 

5. Document these determinations in a Privacy Safeguard 
Plan as required below. 

C. Each agency which continues to maintain a system of 
records is required to review and document the determinations 
described . above within four years of the date of this Circular 
unless this is accomplished sooner as a result of actions to 
procure a new system or modify an existing system. 

D. Each unauthorized access or disclosure of personal 
information, each violation of the policies determined to be 
applicable to a system of records, and each significant breach 
of security safeguards designed to protect the confidentiality 

of personal information, which is detected, shall be investigated 
by the agency with custody of such records, and the details of 
the violation, the causes of the violation, and remedial action 
taken shall be documented and retained as a matter of record. 
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E. Privacy Safeguards Plans, including all of the 
information specified in Attachment A, will be prepared or 
amended, approved at the departmental level and filed with the 
Office of Record 30 days prior to any of the following: 

1. initiation of detailed systems design or programming 
efforts which follow the completion of general system design; 

or 

2. initiation of any procurement for system hardware 
or software for a new automated system of records ; or 

3. changes in system hardware, software or adminis- 
trative procedures which affect persons or organizations 
allowed to use the personal information contained in an existing 
automated system of records; or 

4. modification of the data elements included as 
personal information in an automated system of records; or 

5. consolidation or linking of personal data files 
involving different systems of records. 

F. Each Office of Record will maintain an index of ADP 
and data communications systems used within the department or 
agency, including 1) identification of those systems containing 
individually identifiable data and 2) cross references to 
applicable Privacy Safeguard Plans or negative determinations 
required by Section IV, B.2. 
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V . Responsibilities 

A. Each department s and Federal establishment will develop 
and issue instructions to implement this Circular. 


B. The Secretary ( Commerce will provide for development 
and promulgation of Federal Information Processing Standards 
and Guidelines for computer security deemed necessary to safeguard 
personal information maintained in automated systems of records. 


C. The Directo- of the Office of Telecommunications 
Policy will take actions to assure that privacy safeguards are 
fully considered in telecommunications planning activities 
conducted pursuant to OTP policies and directives. 


D. The Administrator of General Services will take action 
to assure that agency procurement requests include certifications 
that privacy safeguards have been fully documented in accordance 
with the provisions of this Circular. The Administrator will 
also assure that privacy safeguards are fully considered and 
incorporated in any GSA plans for interagency shared ADP or 

data communications systems. 

E. The Director of the Office of Management and Budget 
will exercise overall policy guidance to assure that privacy' 
safeguards are properly implemented throughout the Executive 
Branch. 
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VI . Definitions 

A. Syst e m of records means a collection or grouping of 
personal information preserved for future reference or use which 
is indexed or otherwise organized so as to permit such information 
to be retrieved by reference to the names of individuals or 

some identifying numbers or symbols associated with them, and 
is maintained utilizing automatic data processing or data 
communications . 

B. Personal info rm ation means any information which can 
be associated with identifiable individuals through the use of 
names, addresses, social security numbers or other ‘similar items 
or characteristics. 

C. Purpos e means the legally authorized function (s) 
performed by an agency, wi Lch the system is designed to support. 

D. Stated means set out in a Privacy Safeguards Plan. 


Attachment 
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Outline of Contents 
Privacy Safeguards Plan 

1. Identif ication 

1.1 Name of agency 

1.2 Identification of ADP/data communications 
system covered by this plan. 

1.3 Identification of offices responsible for system 
development, and operation. 

2. Purpose 

State the purpose for each system of records containing 
personal information v/hich will utilize the ADP/data 
communications system, and the statutory or other authority 
to collect and maintain information for this purpose. 

3 . Content 

3.1 Define each element of information contained in 
each system of records, and the relationship- of each element 
to the purpose of the system. 

3.2 State the approximate number of individuals on whom 
records will be maintained for each system of records. 

3.3 State the time period for which the records will 
be retained, and the procedure for final disposition of 
the records. 
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4. Agency Access 

4.1 Identify those agencies of the Federal Government, 
and any other organizations , which will be granted access 
to personal data in each system of records, or to whom such 
data may be transferred upon request. State the statutory 
or other basis for such access or transfer, and any criteria 
used to determine whether access or transfer will be permitted 
by such agencies or organizations. 

4.2 Describe the procedures which will be used for 
obtaining informed consent or for implementing the requirements 
for authorization, safeguards determination, notification 

and recording of any release of personal information to 
agencies or organizations other than those identified in 
4.1 above. 

5. User Access 

5.1 State what limits will be placed on access to 
personal information in each system of records, within each 
user agency or organization, to assure that it is accessed 
only by those individuals whose duties require them to use 
the information. 

5.2 Identify the design features which will be included 
in the design of ADP/data communications systems to implement 
the limits described in Section 5.1. 
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6. Individual Subject Access 

* 

6 . 1 Describe the procedures whereby an individual 
may obtain access to and, if desired,' a copy of all 
information pertaining to him in each system of records. 

6.2 Describe the procedures whereby an individual can 
request correction of information about him, appeal such 
request, or file a statement in the system concerning any 
disagreement . 

7. Unauthorized Access 

Identify the system design features and other safeguards 
and procedures which will be used to prevent unauthorized 
access to personal data contained in each system of records , 
and the estimated cost of these features. 

8 . Deviation 

Describe the authority or justification for any deviations 
from the principles contained in Section III. A. of this Order. 
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SECRET 
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Assistant for Coordination 


ACTION 


APPROVAL 


COMMENT 


CONCURRENCE 


DIRECT REPLY 


DISPATCH 


FILE 


INFORMATION 
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PREPARE REPLY 


RECOMMENDATION 


RETURN 


SIGNATURE 


Remarks: 

In line with the discussion of 1 October, 
please assume DD/A action responsibility, 
coordinating witti OP, OS, OJCS and other Agency 
elements as you consider appropriate. I have 
attached some related background, and de fer to 


you whether 


can get 


us some rellei irom tne UMB deadline of 10 October 


— VJL XU ' 

hb has an 8 October suspense at this point. 
Suspense: 7 October 1974. 


-a 


Att: DD/A 74-3812 + background (DD/M5S 73-3564) 

FOLD HERE TO RETURN TO SENDER 


FROM: NAME. ADDRESS AND PHONE NO. 
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MEMORANDUM FOR: Assistant for Coordination/DDA 
SUBJECT : OMB Memo, 27 September 1974 


1. The proposed OMB Circular on the Protection of 
Personnel Privacy in Federal Information Systems, if enacted,* 
would directly impact the creation, maintenance and use of 
computer-based files in six specific areas. These impacts are 
detailed below: 


a. It would be necessary to provide, for each perti- 
nent file, a program to select and list specified records (Para 
III A 5). For some files this capability already exists. 

b. It would be necessary to provide, for each perti- 
nent file, a program to list the name and address of each person 
in the file, so that they could be notified promptly each time 

a file is accessed by or transferred to another Agency or person, 
other than one of the publicly-stated user Agencies (Para III A 
4 c) . For most files this capability does not exist, and in fact, 
many files do not even contain a current mailing address of the 
individual. This would call for the creation of shadow files 
which supplement information in the main files, or for the expan- 
sion of main file record sizes to accommodate the additional re- 
quired information. 

c. Each time a record is accessed by or transferred 

to an Agency, other than one of the publicly stated user Agencies, 
a permanent record of such access or transfer must be retained by 
the custodian Agency (Para III A 4 d) . This would call for the 
creation of shadow files which supplement information in the main 
files, or for the expansion of main file record sizes to accommo- 
date the additional required information. 

d. A procedure must exist whereby an individual can 
request correction of any information about him, appeal within 
the Agency the denial of such a request ("Sorry, Mr. Vladimir, as 
far as we're concerned, you are a KGB agent") , and if correction 
is denied, file a statement to become part of his record setting 


*The force of this Circular is unclear - there are no stated 
penalties for non-compliance, and the role of OMB seems to be 
changing over time . 
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forth the nature of the disagreement ("I am not a KGB agent") . 

(Para III A 6) . This would call for the creation of shadow 
files which supplement information in the main files, or for the 
expansion of main file record sizes to accommodate the additional 
required information. 

e. A record must be maintained of any unauthorized 
access or disclosure of personal information (Para IV D) . This 
would call for the creation of shadow files which supplement in- 
formation in the main files, or for the expansion of main file 
record sizes to accommodate the additional required information. 

f. Privacy safeguard plans must be specified well 

in advance of the use of personal information (Para IV E) . These 
plans would be made at system design time, involving significant 
effort by the computer analyst creating the system. 

2. Depending on the size and use of a system of records, 
the implementation of items a - f above, would add from 25 to 300 
percent to the system cost. The increased costs would be inversely 
proportionate to the complexity of the system, i.e., the cost of 

a very large, complex system would be little affected by these 
personnel privacy considerations. 

3. There are some fuzzy areas in this Circular - for 
example, does a system of records (Para VI A) include paper files 
referenced by a computer-based file? Does this Circular apply 
only to personal privacy considerations of U. S. Nationals; does 
it include aliens in the U. S. or Foreign Nationals? In Attach- 
ment A to the Circular, mention is made of possible deviations 
from the principles contained in Para III A, but no mention of 
how these deviations are adjudicated. Although the circular calls 
for notification to persons named in a file when this file is 
accessed or transferred to another Agency or person, it does not 
call for notification when a record is added to a file, or when 
the file is created . Thus, a person might only discover he was 
part of a file when notified that some other Agency had access 

to the file in question. The careful reader will probably detect 
other such incongruities. 



STATINTL 


HAKRJ?"E'. 

Directoi/' of Join 


FtmWVi'ER 
trComi 


omputer Support 


Approved For Release 2003/06/05 : CIA-RDP84-00780R0058001 3001 1-5 




• ' nn/ft 'M i 

Approved For Release 2003/06/05 : CIA-RDP84-00780R0058001 3001 1-5 

8 OCT 1974 


MEMORANDUM FOR: Deputy Director for Administration 

SUBJECT : Protection of Personal Privacy in 

Federal Information Systems 


REFERENCE : 0MB Memorandum to the Heads of 

Executive Departments and Establish- 
ments, Same Subject, dtd 27 September 1974 


1. This memorandum is for information only. 

2. Pursuant to your request, we have reviewed the 
proposed 0MB circular relating to the Protection of 
Personal Privacy in Federal Information Systems refer- 
enced above. 

3. The Office of Security currently operates the 
following automated personal data information systems 
which would appear to fall within the scope of the 
provisions of the 0MB circular: 

CENBAD (Central Badging System) 

SPECLE (Special Clearance System) 

0SCCAR (Office of Security Case Control and 
Reporting System) 

SANCA (Security Automated Name Check Activity) 

SEAD0RS (Security Automated Dossier Retirement System) 
Holabird Data Link 

Indirectly, all of our security dossiers and polygraph 
files as well as smaller file holdings within the Office 
of Security may also be considered to come under the 
provisions of the 0MB circular. 

4. While we support the concept of the proposal 
put forward by the 0MB, nevertheless, we believe that 
in the interest of national security the DCI would 
necessarily exercise the authority granted to him (as 

an agency head) in Section III B of the proposed circular 
to make exceptions for certain Office of Security files 
from some of the requirements as set forth. In particular. 
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the provision of Section III A 5 granting the right of 
access to individual file subjects to all information 
in their respective files in our view would seriously 
impair our ability to collect investigative material or 
at the very least would make administratively more difficult 
the maintenance of such material. 

5. The implementation of the required Privacy Safe- 
guards Plan would obviously constitute a considerable 
administrative task and would necessitate the commitment 
of manpower and monetary resources beyond those available 
within present constraints. 




Charles W. Kane 
Director of Security 


STATINTL 


2 


Approved For Release 2003/06/05 : CIA-RDP84-00780R0058001 3001 1-5 




DP /A '/'/ -'POOd 

■ Approved For Release 2003/06/05 : CIA-RDP84-00780R0058001 3001 1-5 


OGC 74-1814 
8 October 1974 


MEMORANDUM FOR: Deputy Director for Administration 

SUBJECT: OGC Comments on Proposed Office of Management 

and Budget Circular Entitled "Protection of Personal 
Privacy in Federal Information Systems" 


1. It is the opinion of this Office that the subject circular is objectionable 
because the Agency is not given a specific exemption from its provisions . 
Instead, the draft provides that its provisions will not apply (1) if inconsistent 
with law or executive order, or (2) when the head of an agency determines 
that a deviation from the provisions is in the public interest and specifies the 
nature of the deviation and the reasons therefore in a required Privacy 
Safeguard Plan. Since all systems of records utilized by the Agency are either 
classified or subject to exclusion upon a permissible determination by the 
Director, the general exemption imposes an unnecessary burden upon CIA 

for implementation of the circular. In addition, the concept of a Privacy 
Safeguard Plan (Attachment A to draft circular) is extremely broad and 
demands information and data which this Agency is obligated to protect from 
unauthorized disclosure. 

2 . It is the opinion of this Office that the Agency should be given a 
specific exemption from all provisions of the circular. However, at a minimum, 
the Agency should be exempt from all provisions that go beyond the provisions 
of the proposed Executive Order which were unobjectionable to this Office. 
Those provisions are: 

a . a requirement that information used by an agency 
to make determination about individuals be accurate, relevant, 
timely, and as complete as reasonably necessary to assure 
fairness to the individual; 
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b . a requirement that records or information contained 
therein not be disclosed within the agency other than to employees 
who have a need for the record or information in the performance 
of their duties; and 

c . a requirement that the agency publish annually in the 
Federal Register a notice of the existence and character of its 
systems of records to include: 

(1) the name of the system; 

(2) the categories of individuals on whom records are 
maintained; 

(3) the categories of information maintained; and 

(4) the policies and practices of the agency regarding 
storage, retention, and disposal of the records. 

Logic and consistency seem to suggest that the OMB circular should track the 
proposed Executive Order which has previously been submitted for comment. 


STATINTL 


Office of General Counsel 
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CENTRAL INTELLIGENCE AGENCY 
Washington, D.C. 20505 


OLC 74-1856/a 

4 SEP 1974 


Mr. Stanley Ebner, General Counsel 
Office of Management and Budget 
Washington, D. C. 20503 

Dear Mr. Ebner: 

This is in reply to your letter dated August 21, 1974, requesting 
our comments concerning a proposed Executive Order entitled, "To 
Protect the Rights of Individuals with Respect to Records Maintained 
About Them by Federal Agencies. " 

It is understood that the purpose of Section 5(b) of the proposed 
Order is to exempt the records of the Central Intelligence Agency from 
all provisions except for sections 2(b), 3(b), and 4(c)(1) through 4(c) (4). 
However, in view 'of the introductory phrasing of section 5, it might 
be argued that the exemption does not apply to CIA records disseminated 
to other agencies. 

In the interest of clarifying this ambiguity, it is requested that 
Section 5 be revised along the following lines: 

"Sec. 5. Except for subsections 2(b), 3(b), 
and 4(c)(1) - (4) -- 

"(a) the head of an agency may exempt from 
all or part of the provisions of this Order 
any portion of a system ©f record which is: " 

[NOTE: To conform to the format of 
the proposed Order redesignate sub- 
paragraphs (a) and (c) through (g) as 
i subparagraphs (1) through (6), respectively.] 
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"(b) systems of records, or any portion 
thereof, maintained or originated by the 
Central Intelligence Agency shall be 
exempt from the provisions of this Order. 11 


With the above change, we offer no objection to the issuance 
of the proposed Executive Order. 


Sincerely, 

/M W. K Colby 

W. E.’ Colby 
Director 


Distribution: 

Original - Addressee 
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21 August 1973 


MEMORANDUM FOR: Acting Director of Central Intelligence 
SUBJECT: Automated Personal Data Files 


1. The attached report proposes five principles governing 
automated files on Individual American citizens. It recommends federal 
legislation to reflect these five principles. (The principles are listed 
In Mr, Weinberger's letter to you, q. v. ) . Weinberger and Elliott 
Richardson are now pursuing the development of some form of 
legislation. 

2. CIA's present handling of automated personal data files 
is not In compliance with the five principles. 

3 . I have touched base with Larry Houston, Charlie Kane 
(Security) and Jack Blake (Personnel) , Larry has drafted a response 
with which I agree (attached) which gets on record early our interest 
In participating In a review of existing law, etc. as a prelude to 
possible exception requests. 

4. ) suggest that the Office of the General Counsel be the 
focal point for this matter as it evolves. 


LiEGIB 



Approved For Release 2003/06/05 : CIA-RDP84-00780R0058001 3001 1-5 






Approved For Release 2003/06/05 


ITB 7 ? ~ / i Q_ 

CIA-RDP84-00780R0058001 3001 1 -5 ^ ’ 


73 S i/bji/y# 


3 7 , 




^3 


The Honorable Caspar W. Weinberger 
Secretary of Health, Education, and Welfare 
Washington, D.C, 20201 

Dear Mr. Weinberger: 

Thank you for forwarding to aae your report on automated 
personal data systems entitled Records, Computers, and the Rights 
of Citizens . The report faces a fundamental issue of obvious 
importance and deep concern to both public and private organizations. 

In the body of the report, in connection with personal-data 
record-keeping systems, a distinction is made between administrative 
systems and statistical reporting and research. A further distinction 
is made as to that portion of the administrative records which is 
termed "intelligence records." The report notes that intelligence 
records which are kept as a basis for determining suitability of 
employment, clearance for access to classified national security 
information, and similar purposes may have their utility weakened 
if all the safeguard requirements were applied to all types of 
intelligence records . This is an area in which this Agency would 
be particularly concerned, and we agree that the process of 
considering exceptions for intelligence systems would entail a 
careful review of existing policy, laws, and practices covering 
the creation, maintenance, and use of intelligence records about 
individuals. We believe it essential that this Agency and others 
with similar functions participate in any such review. Since the 
Department of Health, Education, and Welfare is now developing 
legislation and regulations concerning systems within the reach 
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of the Department*# authority, it la apparent that the overall 
review ol intelligence records will take place in a broader 
forum. 1 agree, however, that the report is a useful guide for 
deliberation and action on the important public policy issues it 
addresses. 


Sincerely, 


j^! la r-s 


Vernon A. Walters 
Lieutenant General, USA 
Acting Director 


SWINTL 
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THE SECRETARY OF HEALTH, EDUCATION, AND WELFARE. 

WA SHINGTON, D. C - 20201 


August 9, 1973 


dd/h& s 


i 

Honorable Vernon A. Walters 
Deputy Director, Central Intelligence 
Agency 

Washington, D. C. 20504 
Dear Mr. Walters: 

I am pleased to be able to forward to you the enclosed report on 
issues attending the use of computers and telecommunications tech- 
nology to keep records about individual Americans. Entitled Records , 
Computers, and the Rights of Citizens , the report was prepared for 
me by a public advisory committee that Attorney General Richardson 
appointed in the Spring of 1972 while he was Secretary of Health, 
Education, and Welfare. It represents the considered views and re- 
commendations of a group of knowledgeable and concerned citizens 
who have conducted a year-long examination of record-keeping practices 
associated with the operation of automated personal data systems by 
public and private organizations, 
v 

In my opinion, as I have stated in making the report available to the 
press, the principles underlying the "safeguard requirements" recom- 
mended by the Committee are sound. Computers linked together through 
high-speed data transmission networks are fast becoming the chief means 
of making, storing, and using records about people. If properly con- 
ceived and operated, this application of electronic data processing 
technology promises substantial social benefit. However, because auto- 
mated systems tend to increase the frequency and intensity of our re- 
liance on recorded information, it is important that we have adequate 
mechanisms for assuring citizens all the protections of due process in 
relation to the records we maintain about them. 

The principles of fair record-keeping practice formulated by the Com- 
mittee are the following: 

o There must be no personal-data record-keeping systems 
whose very existence is secret. 
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Page 2 - Honorable Vernon A. Walters 

o There must be a way for an individual to find out what 
information about him is in a record and how it is used. 

o There must be a way for an individual to prevent inform- 
ation about him obtained for one purpose from being used 
or made available for other purposes without his consent. 

.* o There must be a way for an individual to correct or amend 
a record of identifiable information about him. 

o Any organization creating, maintaining, using, or dissemin- 
ating records of identifiable personal data must assure the 
reliability of the data for their intended use and must take 
reasonable precautions to prevent misuse of the data. 

The Department of Health, Education, and Welfare is now developing leg- 
islation and appropriate administrative regulations to assure that these 
five principles govern the operation of all automated personal data 
systems within reach of the Department's authority. I hope that you 
also will find the Committee's report a useful guide to deliberation 
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